Big Announcement, Small UAS: FAA Launches Commercial Drone Proceeding

Unless you have been completely disconnected from all media, you are probably already aware that on Sunday, February 15, 2015, the FAA announced the release of its long-awaited rules to govern commercial sUAS (small unmanned aircraft systems) operations in the United States. The FAA’s proposed sUAS rules arrived like a barely-late valentine or box of candy, with the recipients hoping to read loving prose and enjoy fresh, rich chocolates. At this point, of course, the rules are merely a proposed regulatory regime (as embodied in a document that is called a “Notice of Proposed Rulemaking” or “NPRM”), and it will surely take many months—probably a couple of years—for the rules to be finalized and adopted, and to go into effect. (Only then will we know for sure whether the valentine message was really a “dear John” letter or whether the candy was stale and half-eaten.) It is important to understand that, for now, the FAA’s current prohibition on commercial UAS operations remains in effect, except for operators that have obtained a Section 333 Exemption from the FAA. (To date, nearly 30 entities have received exemption grants from the FAA.)

The proposed regulatory regime was described by the FAA on a February 15 press conference call as a “very flexible framework” that will “accommodate future innovation in the industry.” While industry stakeholders may ultimately disagree over just how flexible the proposed rules are or should be, stakeholders do generally agree that the FAA’s release of the NPRM is a big step (albeit somewhat overdue) in the right direction. You can access the FAA’s NPRM here. (The FAA also published a “fact sheet” as well as a short summary of the highlights of the proposed rules.)

Proposed sUAS Rules

Among the various limitations that the FAA has proposed for commercial sUAS operations are the following (caveat: this is neither an exhaustive nor detailed list of all the operational limitations and requirements proposed in the NPRM):

  • Vehicles subject to the sUAS rules will be defined as aircraft that weigh less than 55 pounds (25 kg)
  • Only visual line-of-sight (“VLOS”) operations will be allowed; i.e., the small unmanned aircraft must remain within VLOS of the operator or, if one is used, of a visual observer (“VO”) (the proposed rules allow, but do not require, the use of a VO)
  • No person may act as an operator or VO for more than one unmanned aircraft operation at one time
  • Pilots of sUAS will be considered “operators.” Operators will be required to:
    • Pass an initial aeronautical knowledge test at an FAA-approved knowledge testing center;
    • Be vetted by TSA (Transportation Security Administration);
    • Obtain an unmanned aircraft operator certificate with an sUAS rating (like existing pilot airman certificates, it will never expire);
    • Pass a recurrent aeronautical knowledge test every 24 months;
    • Be at least 17 years old;
    • Make available to the FAA, upon request, the sUAS for inspection or testing, and any associated documents/records required to be kept under FAA rules;
    • Report an accident to the FAA within 10 days of any sUAS operation that results in injury or property damage;
    • Conduct preflight inspections to ensure the sUAS is safe for operation.
  • At all times the small unmanned aircraft must remain close enough to the operator for the operator to be capable of seeing the aircraft with vision unaided by any device other than corrective lenses (the use of binoculars would not satisfy this restriction)
  • sUAS operations may not occur over any persons not directly involved in the operation
  • sUAS operations must occur during daylight hours only (official sunrise to official sunset, local time)
  • Small unmanned aircraft will be required to yield right-of-way to other aircraft, manned or unmanned
  • Small unmanned aircraft will be allowed to operate with a maximum airspeed of 100 mph (87 knots)
  • Small unmanned aircraft will be allowed to operate at a maximum altitude of 500 feet above ground level
  • sUAS operations will be permitted to occur only when conditions allow minimum weather visibility of 3 miles from the control station
  • Limitations in airspace classes:
    • No sUAS operations will be allowed in Class A (18,000 feet & above) airspace
    • sUAS operations will be allowed in Class B, C, D and E airspace only with ATC (Air Traffic Control) permission
    • sUAS operations in Class G airspace will be allowed without ATC permission

Many of these requirements dovetail with (or are at least similar to) the limitations, requirements, and restrictions that have been imposed by the FAA in its various Section 333 Exemption decisions. In fact, some of the rules proposed in the NPRM would be less restrictive and more flexible than those imposed on operators in certain Section 333 Exemption decisions.

“Micro” UAS and Model UAS

The NPRM proposes a “micro” UAS classification that contemplates operations of small unmanned aircraft weighing up to 4.4 pounds (2 kg; small-scale sUAS and hence “micro”), only in Class G airspace, only during daylight hours, and at altitudes no higher than 400 feet AGL. Micro UAS operations would be permissible over people not involved in the operation of the unmanned aircraft, provided the operator certifies he or she has the requisite aeronautical knowledge to perform the operations. Other, additional restrictions, as set forth in the NPRM, would apply to the proposed micro UAS classification.

With respect to hobbyists who fly model unmanned aircraft for recreational purposes, the NPRM does not propose to change the rules of the road for such hobbyists, so long as their operation of model UAS satisfies all of the criteria applicable to model unmanned aircraft.

Presidential Memorandum: UAS Privacy Framework

In addition to—and presumably in concert with—the FAA’s release of the NPRM, President Obama on the morning of Sunday, February 15, issued a Presidential Memorandum aptly titled “Promoting Economic Competitiveness While Safeguarding Privacy, Civil Rights, and Civil Liberties in Domestic Use of Unmanned Aircraft Systems” (“UAS Privacy Memorandum”) in order to create a framework to begin to address some of the privacy concerns that have been voiced by the American public (and even by a U.S. Supreme Court Justice). (Reports had surfaced months ago suggesting that the UAS Privacy Memorandum was in the works.)

Among other things, the UAS Privacy Memorandum requires federal agencies, “prior to deployment of new UAS technology and at least every 3 years, [to] examine their existing UAS policies and procedures relating to the collection, use, retention, and dissemination of information obtained by UAS, to ensure that privacy, civil rights, and civil liberties are protected. Agencies shall update their policies and procedures, or issue new policies and procedures, as necessary.” In addition, federal agencies must “establish policies and procedures, or confirm that policies and procedures are in place, that provide meaningful oversight of individuals who have access to sensitive information (including any PII [personally identifiable information]) collected using UAS . . . [and] require that State, local, tribal, and territorial government recipients of Federal grant funding for the purchase or use of UAS for their own operations have in place policies and procedures to safeguard individuals’ privacy, civil rights, and civil liberties prior to expending such funds.” These requirements represent a logical and reasonable starting point for ensuring privacy protection at the federal level if and when agencies engage in UAS operations.

Also of significance, the UAS Privacy Memorandum tasks NTIA (the National Telecommunications and Information Administration) to initiate, by mid-May 2015, a “multi-stakeholder engagement process to develop a framework regarding privacy, accountability, and transparency for commercial and private UAS use.” As such, the UAS Privacy Memorandum provides a formal structure in which various aspects of privacy that will be implicated by commercial and private UAS operations can and will be debated and addressed. As with the sUAS rules themselves, only time will tell whether the final results of the UAS Privacy Memorandum are weak or strong, satisfactory or dissatisfactory to UAS stakeholders, including the American public generally.

Issuance of the NPRM Doesn’t Mean You Can Ignore State Law

State and local jurisdictions continue to contemplate legislation governing the use of UAS by individuals, commercial entities, and law enforcement, and much remains to be written about such ongoing efforts. As I’ve written previously, the State of North Carolina enacted several provisions governing UAS in 2014. Until the FAA’s rulemaking results in final rules, many of the North Carolina provisions are of little practical significance. Nevertheless, drone enthusiasts in North Carolina must remain mindful of these state-specific laws, as should any UAS operator in any other state with applicable laws in place.

More to Come

For many industry stakeholders and drone enthusiasts, the release of the NPRM surely represents a “Harry Potter” moment: when a new Harry Potter book hit the bookshelves, people would line up for hours to get a copy and would stay up all night and skip school or work in order to read it. I’m certain that a similar phenomenon has been underway since Sunday, February 15, when the NPRM first became available on the FAA’s website. (I would hazard a guess that the FAA’s website had more traffic on February 15 than any other day in the history of While I don’t recommend that anyone play hooky from work or school in order to read the 195-page NPRM, I do encourage you to celebrate President’s Day (February 16) by reviewing the NPRM—while the FAA Staff enjoys its well-deserved federal holiday—and I do wish you all happy reading and sweet, post-valentine dreams.

Onward and upward (but, until the FAA issues final rules, not without an exemption or not more than 400 feet, please, with a model drone used solely for recreational purposes)!


Sony Employees Sue, Calling the Breach an "Epic Nightmare"

by Bryan Starrett, Employment Law Attorney,

You have probably heard about the recent data breach at Sony; after all, it’s not often that Kim Jong Un and Angelina Jolie are mentioned as part of the same story. Unlike other recent high profile hacks, the recent Sony hack appears to be somewhat different in character: the hackers appear to care most about using the information stolen from Sony to bring shame and scorn to the company, rather than for their own pecuniary gain.

And the story appears to continue down the proverbial rabbit hole, with reports of a tongue-in-cheek offer of investigative cooperation from the North Koreans, and the recent revelation that all of North Korea’s internet is down, perhaps in retaliation for the recent attacks.

Amidst the intense Hollywood and international intrigue, an important group of victims isn’t receiving much attention: Sony employees. Indeed, the hack has allegedly resulted in the theft of social security numbers, birth dates, health information, and other sensitive data from thousands of Sony employees. In response, two Sony employees swiftly filed a federal class-action lawsuit against their employer, summing up their claims in the opening paragraph of their complaint:

An epic nightmare, much better suited to a cinematic thriller than to real life, is unfolding in slow motion for Sony’s current and former employees: Their most sensitive data, including over 47,000 Social Security numbers, employee files including salaries, medical information, and anything else that their employer Sony touched, has been leaked to the public, and may even be in the hands of criminals.

The employees have brought claims for negligence, as well as for various statutory data breach claims under both California and Virginia law.

Unlike the more “typical” breach case, where customers are the victims of stolen credit card numbers or other personal information, this action is unique in at least two critical aspects: the nature of the data breached, and the employer/employee relationship between Sony and the plaintiffs. Employers often owe their employees heightened duties of care, thanks to the particular nature of the employer/employee relationship. However, the duties employers owe their employees regarding the protection of employee data are largely uncharted territory, and this action may shed significant light on the standard to which employers will be held in protecting employee data.

HHS Settlement Shows: "You'd Better Implement Those IT 'Patches' and 'Updates' or Be Ready to Pay the Price."

by Forrest Campbell, Health Law Attorney, 

In December 2014, the U.S. Department of Health and Human Services ("HHS") and Anchorage Community Mental Health Services ("ACMHS") settled alleged HIPAA violations for $150,000.

Don't be misled--this settlement is not important just for parties subject to HIPAA. It's important to anyone who maintains confidential information in electronic form.

Here's what happened according to HHS. ACMHS failed to regularly update its IT resources with available patches, and ACMHS used outdated, unsupported software. As a direct result of these two factors, malware was able to compromise the security of ACMHS's IT system, resulting in a data breach of the protected health information of 2,743 individuals. As HIPAA requires, ACMHS notified HHS of the breach, and an HHS investigation followed. The investigation led to the settlement. The period from the start of the investigation to the signing of the settlement was 2 ½ years--which probably represents a lot of hours and money for ACMHS.

These events show how important security patches and software updates are for all parties with confidential electronic information. If you fail to diligently implement patches and updates--no matter what business line you're in--malware might infiltrate your IT system and cause a data breach. Data breaches often require notice to the individuals affected and to state and federal authorities, and often lead to investigations, lawsuits, and/or settlements.

Apparently, ACMHS could have avoided the entire matter if it had implemented proper patches and updates.

Although the lessons from these events are important across all industries, parties subject to HIPAA should recall that the HIPAA security rule essentially mandates that critical security patches and updates be implemented. For example, the security rule broadly requires that HIPAA covered entities and business associates must:

SIFMA Issues Cybersecurity Regulatory Principles

by David Smyth, Securities Enforcement Attorney, at and blogger at Cady Bar the Door

Does everyone feel compelled to comment on cybersecurity issues? It seems that way. And on October 20th the Securities Industry and Financial Markets Association jumped deeper into the fray when it issued its Principles for Effective Cybersecurity Regulatory Guidance. SIFMA goes into substantial depth for each one in the document itself, but without further ado, here they are, followed by my comments or summaries on each:

1. The U.S. government has a significant role and responsibility in protecting the business community.

My former boss John Stark likes to say, “A data breach is the only crime where you’re the victim and you’re treated like a criminal.” Probably true! In that spirit, SIFMA would like the government’s enforcement efforts to be focused on computer criminals and not securities firms that are doing their best to protect their clients’ information.

2. Recognize the value of public–private collaboration in the development of agency guidance.

The Principles cite The National Institute of Standards and Technology’s Cybersecurity Framework (discussed here) as a useful model of public-private cooperation that should guide the development of agency guidance. Along those lines, SIFMA suggests that an agency working group be established that can facilitate coordination across government agencies and self-regulatory organizations, and receive industry feedback on suggested approaches to cybersecurity.

3. Compliance with cybersecurity agency guidance must be flexible, scalable and practical.

Again with the NIST Cybersecurity Framework, which by its terms is “envisioned as a ‘living’ document, improved based on feedback from users’ experiences, while new standards, guidelines, and technology” are built into future versions. SIFMA thinks the same should be true for the standards and practices recommended by agencies.

4. Financial services cybersecurity guidance should be harmonized across agencies.

Here’s what SIFMA says: “Financial regulators should coordinate to avoid a counter-productive proliferation of overlapping standards and overlapping regulators. A diffusion of regulatory principles undermines focus and diverts valuable resources for companies and agencies alike.” They’re right to say this, but oh, dear, this is hard. It’s not easy to get people on board within an agency, or even an agency division. Cross-agency coordination is well-nigh impossible.

5. Agency guidance must consider the resources of the firm.

SIFMA rightly notes that “[s]ophisticated prevention measures are sometimes financially prohibitive for smaller firms and burdensome standards could drive these important players out of the market.” Leaving financial services solely in the hands of giant players who can out-comply smaller ones would be horrendous.

6. Effective cybersecurity guidance is risk-based and threat-informed.

This one is closely related to Nos. 3 and 5. Basically, SIFMA hopes there won’t be regulation for regulation’s sake. “Agencies should premise their guidance on a cost-benefit analysis that takes into account the benefits to firms and consumers versus the compliance costs and potential burdens suffered by consumers.”

7. Financial regulators should engage in risk-based, value-added audits instead of checklist reviews.

I can’t help but see this as a shot at the SEC’s investment adviser cybersecurity examination module, publicly released in April 2014 to help advisers prepare for regulatory exams in this area. As Bob Plaze notes here, a one-size-fits-all checklist could be punitive for smaller firms that can’t afford to keep up.

8. Crisis response is an essential component to an effective cybersecurity program.

Needless to say? SIFMA also says explicitly here what it merely implies in No. 1: “Both firms and their clients are the victims when breaches or incidents occur.”

9. Information sharing is foundational to protection, must be limited to cybersecurity purposes, and must respect firms’ confidences.

While SIFMA appreciates the guidance the Justice Department and the Federal Trade Commission have recently given to assuage antitrust concerns associated with inter-firm information sharing to fight computer crime, more such assurances are always better. Put another way, don’t replace one regulatory concern (cybersecurity) with another (antitrust liability).

10. The management of cybersecurity at critical third parties is essential for firms.

Keeping a close watch on third-party vendors is a crucial cybersecurity issue for all businesses. SIFMA would like some help from the government on this huge job: “Regulators should increase their coverage of third parties and put pressure on these third parties to meet the regulatory expectations of the financial services firms that they serve.”


Be careful out there.

Ebola and HIPAA--OCR Issues Bulletin on HIPAA Privacy in Emergency Situations

by Forrest Campbell, Health Law Attorney,

In light of the Ebola outbreak, HHS's Office for Civil Rights ("OCR") issued a bulletin to accomplish two things: (i) ensure that HIPAA covered entities and business associates understand how PHI may be shared in emergency situations, and (ii) remind parties that HIPAA's privacy requirements are not set aside during an emergency. The bulletin can be accessed through this link.

Health care providers nationwide are screening for individuals who potentially have Ebola virus disease. If such an individual is discovered, the provider suddenly will face a multitude of issues to address. If you have not already, now is the time to be proactive and review OCR's bulletin as a refresher on the basic rules for disclosures during an emergency.

The bulletin notes that, while HIPAA protects patient privacy, HIPAA is balanced to ensure that appropriate uses and disclosures of PHI still may be made when necessary to treat a patient, to protect public health, and for other critical purposes.

To this end, the bulletin reminds parties that PHI may be shared, as follows:

For Treatment. A covered entity may disclose PHI for its own treatment activities or the treatment activities of any health care provider. This includes disclosures for the coordination or management of health care and related services by one or more health care providers and others, consultations between providers, and referrals of patients for treatment.

For Public Health Activities. In recognition of public health authorities' need to access PHI for performing their public health mission, HIPAA permits covered entities to disclose needed PHI without individual authorization in various situations:

• To a public health authority, such as the CDC or a state or local health department, that is authorized by law to collect or receive information to prevent or control disease, injury, or disability. This includes reporting diseases, injuries, and vital events (e.g., births or deaths); and conducting public health surveillance, investigations, and interventions. For example, a covered entity may disclose PHI to the CDC on an ongoing basis as needed to report all prior and prospective cases of patients exposed to or suspected or confirmed to have Ebola virus disease.

• At the direction of a public health authority, to a foreign government agency that is acting in collaboration with the public health authority.

• To persons at risk of contracting or spreading a disease or condition if other law, such as state law, authorizes the covered entity to notify such persons as necessary to prevent or control the spread of the disease or otherwise to carry out public health interventions or investigations.

Note: In each of these situations, other law, such as state law, must also authorize the agency to collect or review the information or authorize notice to an individual, as applicable.

With Family, Friends, and Others Involved in an Individual's Care. A covered entity may share PHI with a patient's family, friends, or other persons identified by the patient as involved in the patient's care (but only PHI directly relevant to the person's involvement with the individual's health care or payment). A covered entity also may share PHI as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient's care, of the patient's location, general condition, or death.

• The covered entity should get verbal permission from the individual or otherwise be able to reasonably infer that the patient does not object; if the individual is incapacitated or not available, covered entities may share information for these purposes if, in their professional judgment, doing so is in the patient's best interest.

• A covered entity may share PHI with disaster relief organizations (e.g., American Red Cross) that are authorized by law or by their charters to assist in disaster relief efforts, for the purpose of coordinating the notification of family members or other persons involved in the patient's care, of the patient's location, general condition, or death. It is unnecessary to obtain a patient's permission to share the information in this situation if doing so would interfere with the organization's ability to respond to the emergency.

For Imminent Danger. Covered entities may share PHI with anyone if necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. Note: The disclosure must be consistent with other applicable law (e.g., statutes, regulations, or case law) and applicable standards of ethical conduct.

With the Media or Others Not Involved in the Care of the Patient. Upon request about a particular patient by name, a health care provider may release limited facility directory information to acknowledge an individual is a patient at the facility and provide basic information about the patient's condition in general terms (e.g., critical or stable, deceased, or treated and released) if the patient has not objected to or restricted the release of such information or, if the patient is incapacitated, if the disclosure is believed to be in the best interest of the patient and is consistent with any prior expressed preferences of the patient.

OCR notes that in general, except in the limited circumstances described elsewhere in the bulletin, affirmative reporting to the media or the public at large about an identifiable patient, or the disclosure to the public or media of specific information about treatment of an identifiable patient, such as specific tests, test results, or details of a patient's illness, may not be done without the patient's (or representative's) written authorization.

Business Associates. Business associates may disclose PHI as permitted by the HIPAA privacy rule, such as disclosures to public health authorities, to the extent authorized by the business associate agreement.

Minimum Necessary. OCR reminds covered entities that for most disclosures the "minimum necessary" standard will apply. (Minimum necessary requirements do not apply to disclosures to health care providers for treatment purposes.) Covered entities may rely on representations from a public health authority or other public official that the requested information is the minimum necessary for the purpose. For example, a covered entity may rely on representations from the CDC that the PHI requested by the CDC about all patients exposed to or suspected or confirmed to have Ebola virus disease is the minimum necessary for the public health purpose.

Remember: Before making a disclosure addressed in the bulletin, a covered entity should review the particular HIPAA rule involved because many of the rules have specific, detailed requirements that must be met. In addition, certain of these HIPAA rules will require that applicable other law (such as state law) also be considered and followed.

Forrest W. Campbell, Jr. practices in the Greensboro office of Brooks, Pierce, McLendon, Humphrey & Leonard, LLP. His practice is dedicated to health care. You are welcome to contact him at 336.373.8850 or

Mobile is on the FTC's Privacy Agenda--Get Mobile Policies and Practices in Order

In remarks delivered at the 2014 BAA Marketing Law Conference, Jessica Rich, director of the FTC’s Bureau of Consumer Protection, confirmed that, when it comes to privacy, the FTC is focusing on mobile technologies in a big way.

This is nothing new—the FTC has brought a number of mobile privacy cases in the past couple of years. 2014 was an especially active year, though. For example, the FTC and Apple settled a complaint alleging Apple billed consumers for millions of dollars of charges racked up by children in kids’ mobile apps without first getting parental consent for those purchases. The FTC filed similar complaints against Amazon and Google involving in-app purchases by kids. Google decided to settle with the FTC while Amazon has geared up for a fight.

Earlier in the year, the FTC, the FCC, and certain states reached a $105 million settlement with AT&T involving claims that AT&T unlawfully billed customers for unauthorized third-party charges—also known as mobile “cramming.” The regulators alleged that AT&T billed its customers for subscriptions for ringtones, text alerts, horoscopes, and other services, keeping a portion of the fees for itself.

And more recently the FTC again went after AT&T, this time for limiting the availability of data in its “unlimited data” plans, a practice known as “throttling.”  The agency claims the throttling is unfair and deceptive because AT&T had promised unlimited data, and then reduced data speed without informing its customers.

I’m not saying these things are related, but, with all this negative publicity and enforcement activity, is it any wonder that AT&T was in the news soon after the throttling claims—this time announcing that it had stopped using hidden “supercookies” to track mobile users’ online activity?

The FTC mobile enforcement actions are obviously targeting high-profile companies.  But what does it mean for smaller operations?

It means that mobile is a priority for the FTC and is likely to remain so in 2015. Those operating in the mobile space (app providers, developers, marketers, others) should be careful.  If you haven’t already, get your privacy policies and practices in order now, on the front end, before any complaints from consumers, state regulators, or the FTC occur.  Engaging in “Privacy by Design” now will save you time, energy, and money later if a complaint or enforcement action is initiated.

Regulation From All Sides?--The FCC and FTC Tag-Team Privacy and Data Security

The U.S. Federal Trade Commission usually gets much of the glory for policing privacy and data security issues. For example, just a few months ago the FTC achieved a settlement requiring Fandango and Credit Karma to establish comprehensive data security programs and biennial security assessments following charges that the companies misrepresented to consumers the level of security of their mobile apps and failed to secure the transmission of consumers’ sensitive personal information. And who could forget the FTC’s Google Buzz settlement from 2011?

But recently the FTC has been sharing the privacy and data security spotlight with a different agency—the U.S. Federal Communications Commission. What?

In a post late last year, Jedidiah Bracy wondered if the FCC was becoming envious of the FTC’s enforcement role in the privacy arena. He speculated that we’ll see more jurisdiction-sharing between these two federal agencies in this area over time. 

I think Jedidiah is right. 

Exhibit A: Last fall, the FCC announced its very first data security enforcement action. The full text of the FCC notice proposing the fine is linked here. In this case, the FCC proposed a $10 million fine against two telecommunications companies, TerraCom and YourTel, for alleged violations of provisions of the Communications Act and FCC rules that require companies to protect the privacy of phone customers’ personal information. According to an FCC announcement, “[t]he companies allegedly breached the personal data of up to 305,000 consumers through their lax data security practices and exposed those consumers to identity theft and fraud.”  The data at issue were the social security numbers, names, addresses, driver’s license numbers, and other sensitive information of low-income consumers who provided the data to establish eligibility for Lifeline telephone services. The personal information was allegedly exposed to public view on the Internet (and apparently discovered by investigative reporters) without any password protection. The harm was compounded when the companies allegedly failed to notify all potentially affected customers of the breach. 

The Communications Act requires telecommunications carriers to protect the confidentiality of consumer “proprietary information,” and requires telecommunications carriers’ practices related to providing communication services to be “just and reasonable.” According to the FCC, TerraCom and YourTel violated these requirements. Among other things, the companies failed to employ reasonable data security practices to protect consumer proprietary information and misrepresented their data security practices in their privacy policies.

In addition to being the FCC’s opening salvo in the data security area, this recent action is the largest proposed privacy fine in the FCC’s history. 

Exhibit B: Just over a month earlier, the FCC adopted a settlement with Verizon, in which Verizon agreed to pay a $7.4 million fine to settle an FCC investigation of allegations that Verizon used its customers’ personal information when tailoring marketing campaigns without first providing notice and obtaining customer consent (as required by FCC rules implementing the Communications Act).

The good news is these cases don’t mean that all companies must add the FCC to the list of potential regulators that may bring privacy and data security enforcement actions against them. For one thing, both the TerraCom/YourTel and Verizon enforcement actions involve telecommunications companies otherwise subject to the jurisdiction of the FCC. Not every business falls within the scope of the Communications Act—not by a long shot. 

But what I think these cases illustrate well is that the FCC sees itself as, among other things, a consumer protection agency. It shares this world view with the FTC. These two cases show us that, like the FTC, the FCC is willing to “go big” in the area of consumer privacy and data security for those companies where the FCC has a regulatory hook—that means wired and wireless telecommunications providers as well as cable, satellite, radio, and television companies. The FCC has some privacy and data security muscle that it is apparently ready, willing, and able to flex.

FTC Sues Debt Broker for Posting Debt Portfolios Online

by David Smyth, Securities Enforcement Attorney, at and Cady Bar the Door

On October 31st, the Federal Trade Commission sued St. Petersburg, Florida-based debt broker Bayview Solutions and two of its principals for posting the debt portfolios of 28,000 consumers online, including their bank account numbers and other identifying information. The “facts” that follow come from the FTC’s complaint. They may not be true!

Bayview’s Business

Bayview buys and sells portfolios of charged-off consumer debt for eventual collection by third-party debt collectors. One means of its business is through websites that provide a venue for debt sellers and buyers to identify one another and exchange information about portfolios they seek to trade. According to the FTC, one particular website Bayview uses is publicly accessible and is not password-protected. This website invites visitors to become members, but visitors can view and download its contents without becoming members.

Generally, sellers post summary information about the portfolios they’re offering, such as the number of individual debts in the portfolio, as well as the type, total face value, and general age of the debt, and the number of collection agencies that have tried to collect. In some instances, sellers also post sample portions of their portfolios, but redact personal identifiers. Then buyers can contact the sellers for more information. So, as the FTC points out, sellers can market their portfolios on the site without disclosing consumers’ sensitive information. But that’s not how it always went.

The Compromised Information

Instead, the FTC says that Bayview, owner Aron Tomko, and sales associate Jonathan Ortiz on at least 21 occasions have offered their debt portfolios for sale by posting them in the form of unencrypted, unprotected Excel spreadsheets.

Since July 16th of this year, they have posted at least 21 portfolios containing the unencrypted, unmasked, sensitive personal information of more than 28,000 consumers. Whoops. In addition to information about the consumer’s alleged debt, the information on the unprotected Excel spreadsheets has included the consumer’s first name; date of birth; city; state; email address; employer name; bank name; full bank account number; bank routing number; and driver’s license. Though the defendants have partially redacted the consumers’ last names, street addresses, or telephone numbers, the FTC contends that information is easily discerned based on other disclosed information.

Perhaps worst from the FTC’s perspective, it alleges the consumers at issue would be unlikely to know that Bayview has and is openly disclosing their information, so they’re not in a position to protect themselves. The FTC claims Bayview could have averted the public disclosure of this sensitive information at virtually no cost by redacting it from the Excel spreadsheets, encrypting it, password-protecting it, or by offering to make it available through other secure means.

The Law

Many consumers have likely had their data compromised and thought, Man, that’s not fair. The FTC agrees! The Commission finds this sort of thing to be “unfair . . . acts or practices in or affecting commerce” in violation of Section 5 of the FTC Act. And if those unfair acts cause “substantial injury to consumers,” the FTC may be cued up to take action.

My Take

If the facts alleged are true, Bayview could have protected this information (and thus itself) better than it did. But in reading the complaint, one doesn’t get the feeling that the FTC loves Bayview’s underlying business of trading debt based on payday loans, “small, short-term, high-interest loans marketed to financially-strapped consumers.” Those who are in that business should be especially careful not to give law enforcement special reasons to attack what would be otherwise legitimate operations.

Drone Law Enacted as Part of North Carolina Budget Bill

On Saturday, August 2, the North Carolina General Assembly gave final approval to the Appropriations Act of 2014. The 260-page budget bill—which is now on the Governor’s desk—contains several pages governing the use and operation of unmanned aircraft systems (“UAS,” but known in common parlance as “drones”). The UAS provisions are similar to ones that were unanimously passed on June 25, 2014, by the North Carolina House, in the HB 1099.

Assuming the budget bill becomes law, what does its passage mean for North Carolina—which, by the way, should be aspiring to be “ascendant in UAS”—and for companies associated with, or in the production stream of, UAS? After all, the FAA appears to be far from achieving lift-off in its Congressionally-mandated UAS rulemaking proceeding: The U.S. Department of Transportation’s Office of the Inspector General recently observed in its June 26, 2014, Audit Report that the FAA “is behind schedule on most of the act’s [FAA Modernization and Reform Act of 2012’s] UAS provisions, and the magnitude of unresolved safety and privacy issues will prevent FAA from meeting Congress’ September 2015 deadline for UAS integration.” (It has been reported that President Obama may use an Executive Order to assign responsibility for generating UAS privacy regulations to the National Telecommunications and Information Administration (NTIA)—perhaps that would help bring resolution to the “unresolved privacy issues” referenced in the Audit Report.) And, while North Carolina was not selected by the FAA as a UAS test site, the North Carolina NextGen Air Transportation Center has obtained Certificates of Authorization (COA) to fly UAS in Hyde County, Butner, and elsewhere. So, again, with the FAA apparently stalled, and with NGAT operations taking off, what are the implications of the UAS provisions in the budget bill? It is difficult to say with certainty, but here are a few thoughts.

First and foremost, it means that the North Carolina General Assembly is paying attention. This is a good thing. To have the General Assembly engaged on this issue means that there are legislators who care about the technology and its economic potential and that there are commercial and governmental entities that are engaged and, in turn are engaging, legislators on the issue. This is important because NGAT cannot carry all the water alone to make North Carolina “Ascendant in UAS.”

Second, the General Assembly has recognized the continuing importance of privacy in a world where flying robots with cameras may soon become the norm. For example, the bill largely curtails the ability of people and entities—public and private alike—to conduct surveillance of people, their homes, and private property. (The legislation does not specifically define “conduct surveillance,” but judges and juries—not to mention cartoonists—are capable of working that out on a case-by-case basis.)

Third, the legislation shows the General Assembly’s astute recognition of the need to balance individual privacy with the critical function news gathering plays in our free, democratic society. Specifically, the legislation includes a provision exempting “newsgathering, newsworthy events, [and] events [and] places to which the general public is invited” from the general prohibition on “conducting surveillance.” Of course, the FAA’s current stance remains that it is illegal for journalists and newsgathering organizations to use UAS for newsgathering purposes (a position challenged earlier this year by several news organizations), but kudos to the North Carolina General Assembly for putting a high value on a free press and recognizing the importance of technological developments to the continued ability of newsgatherers to perform their critical societal function.

Fourth, the legislation restricts the ability of citizens to use UAS “to fish or to hunt.” Since the UAS provisions in the budget bill also make it a Class E felony “for any person to possess or use an unmanned aircraft or unmanned aircraft system that has a weapon attached,” the hunting limitation is reasonable, internally consistent, and, frankly, much appreciated. Although at least one commentator has suggested that the ban on hunting and fishing with UAS may be overly-restrictive because it may bar “using images from a small drone to help determine where to hunt or fish,” a close reading of the relevant provisions reveals that the bill only outlaws the use of UAS “to take” fish and wildlife and does not—at least not by its plain language—necessarily prohibit the use of UAS to find, track, or locate fish or wildlife for the purpose of engaging in non-UAS fishing or hunting. (CAVEAT: This is not a formal legal opinion about the scope of these provisions in the law!)

Finally, it cannot be ignored that the legislation contains the structure for the North Carolina Department of Transportation to establish a state licensing regime for UAS operators. It is admittedly difficult to argue with the wisdom of licensing commercial UAS operators. Nonetheless, the licensing provisions may have unintended consequences: the uncertainty they create may be viewed unfavorably by UAS stakeholders that might otherwise be interested in bringing business to North Carolina, the rightful epicenter of the UAS industry. While the potential federal preemption arguments would make for a fascinating discussion, any preemption discussion is premature, since we do not yet know what the FAA is going to do in this area. To be sure, the safety issues posed by commercial UAS operations are not to be taken lightly, and the General Assembly is to be commended for its foresight in that regard. On the other hand, as pointed out in the June 26, 2014, Audit Report, the FAA itself is struggling with how to safely incorporate small UAS into the national airspace—this may be an area better left to uniform, federal policy.

All UAS stakeholders that would like to see North Carolina ascend in UAS should be watching . . . I know my high school senior, for one, is . . . .

The Reporter's Privilege: Where Does The Proposed Federal Shield Law Stand And What Impact Would It Have?

The right of journalists to refuse to testify regarding information or sources obtained as part of the news-gathering process, known as the reporter’s privilege, has been recognized by 49 of the 50 states and the District of Columbia. However, these existing protections are only applicable in state court. Federal law offers no statutory reporter’s privilege, leading to high-profile federal court cases in which a journalist is forced to choose between revealing confidential sources or spending time in jail for contempt of court.

The most prominent recent example is the case of New York Times reporter James Risen, who wrote a book detailing the CIA’s effort to disrupt Iran’s nuclear program. The federal government sought to compel Risen’s testimony regarding his sources. The Fourth Circuit Court of Appeals ordered Risen to testify, and on June 2, the Supreme Court refused to hear Risen’s appeal. If the government does not withdraw its subpoena, Risen must testify or face jail time.

These events underscore the renewed calls for a federal “shield law” which would recognize a reporter’s privilege in federal cases. In late May, Rep. Alan Grayson (D-Fla.) proposed an amendment to an appropriations bill for the United States Justice Department and other agencies. The amendment states that none of the funds made available by the appropriations bill may be used to compel a journalist to testify about information or sources the journalist regards as confidential. The amendment passed with bipartisan support, and the appropriations bill itself passed the House. If the amendment survives Senate scrutiny and is enacted into law, it would apply to the Justice Department and federal prosecutors. But the amendment leaves some critical issues unaddressed. Specifically, it does not contain an exception for matters with potentially serious national security consequences, and it does not define who can claim protection as a “journalist.”

The House is not alone in contemplating how to recognize the reporter’s privilege. A Senate bill (S. 987) introduced in May 2013, referred to as the Free Flow of Information Act, passed through the Judiciary Committee in September. However, no subsequent action has been taken to bring the bill to the floor of the Senate for a vote, as there may not currently be sufficient support for the bill to pass (or survive a possible filibuster attempt).

The Senate bill is substantially more detailed than the House amendment to the appropriations bill. It would generally prevent federal entities from demanding a “covered journalist” comply with a subpoena or court order seeking to force the disclosure of protected information. The government still would retain the ability to compel disclosure when it is necessary to prevent certain consequences (death, kidnapping, substantial bodily harm, terrorist activities, or “significant and articulable harm” to national security). To invoke the protection of the proposed law, a journalist must have promised or agreed to keep the information in question (or the source of such information) confidential, and the information must have been obtained for the purpose of “engaging in journalism.” In the wake of revelations that the Justice Department secretly obtained communications records of Associated Press and Fox News reporters, the bill would also generally prevent the federal government from seeking similar information from journalists’ service providers.

The question of who is eligible to invoke the reporter’s privilege has been a significant issue during previous attempts to draft a federal shield law. Reporters have been concerned that any attempt to define a “journalist” could potentially lead to future government interference, including licensing of journalists. While the Society of Professional Journalists and Newspaper Association of America have acknowledged this issue, the organizations consider the Senate bill’s current definition of a “covered journalist” broad enough to merit support. Those eligible to invoke the privilege under the Senate bill would include college journalists, freelancers, bloggers, anyone working for a “news website,” and most anyone else who is gathering information with the intent to disseminate it in a public manner (as well as traditionally-employed print and broadcast reporters). It would, however, exclude certain groups like Wikileaks, whose principal function is merely to publish primary source documents that were disclosed without authorization. Importantly, the bill also would grant judges broad discretion to extend the reporter’s privilege to any party when doing so is “in the interest of justice,” helping ensure the law would be flexible enough to cover new and emerging media practices.

The impact the proposed law would have on cases like that of Risen is a point of considerable debate. This is particularly true with respect to the national security exception in the bill, which would allow the government’s interests to trump the reporter’s privilege in matters with national security implications. The language of the bill indicates that the government may only use the exception if the information being sought is intended to prevent a future act of terrorism or future harm to national security. Under this standard, a court could find that the identity of a source of years-old leaked information is not needed by the government to prevent such future harm. However, SPJ president Sonny Albarado has said he believes courts are so sensitive to the federal government’s national security interests that even the language of the Senate bill would not have been sufficient to protect Risen from being compelled to divulge sources. Despite these concerns, a host of professional journalism organizations, including Albarado’s SPJ, have backed the bill, believing its protections are a substantial upgrade over the current federal court climate faced by reporters.

While Sen. Chuck Schumer (D-N.Y.) stated in March that he believes it is “very likely” a shield bill will pass the Senate this year, the lack of recent movement has some observers skeptical. On June 11, 75 media companies and journalism organizations sent an open letter to Senate Majority Leader Harry Reid (D-Nev.) and Senate Minority Leader Mitch McConnell (R-Ky.), urging both to schedule a floor vote on the bill as soon as possible. Professional organizations, such as SPJ and the NAA, have called for members and others to contact undecided senators to convey interest in the bill’s passage.

The attention surrounding the Risen case has brought a renewed focus to years-old calls for meaningful federal recognition of a reporter’s privilege. This is an issue that warrants the attention of all journalists.

Editor's note: Brooks Pierce summer associate Patrick Southern played a primary role in drafting this post.